EDITORIAL: US Needs a Cyber Deterrence Plan

Effective cyber deterrence requires the will and capacity to respond to cyber attacks with an equal or greater blow.

Americans have a love affair with airplanes. We love their power and grace and marvel at their roar over air shows. We pay far less attention to rockets and satellites and even less to the invisible and dark art of cyber. These things are harder to see and understand.

They are every bit as important to the Air Force. As the US military ponders a future of peer competition, that future can be expected to meld air, space, and cyber. USAF’s ability to exert power is predicated on our strengths in those other domains.

Since World War II, it’s been Air Force doctrine that wars are won by taking the fight to the people. Attacking and disabling electric grids disrupts a society’s ability to function. When societies can’t function, they are more likely to give up. In both Kuwait and Kosovo, this was a key part of the US strategy.

At home, our own sensitivity to power outages is a major national weakness. “Surviving a Catastrophic Power Outage,” a new report from the President’s National Infrastructure Advisory Council, identifies the problems and offers a series of reforms to strengthen the resilience of that grid.

Until that’s done, we can look forward to more events like these:

A local Ohio blackout in 2003 triggered a chain reaction that took out 21 power plants in three minutes, plunging Baltimore, Detroit, Cleveland, New York, Ottawa, Toronto, and other cities into darkness and sparking fears of a terrorist strike. It took two days for most locations to recover.

Hurricane Maria destroyed Puerto Rico’s aging electric grid in 2017; the resulting power failure, which took 11 months to fix completely, was later blamed for as many as 3,000 deaths over the next six months.

Hurricane Michael flattened the Florida panhandle last fall, leveling Tyndall Air Force Base, and causing Air Force Chief of Staff Gen. David L. Goldfein to equate the storm with a surprise attack. That’s a good way to think about these things.

Yet in an increasingly connected world, failure of our digital systems and networks is an even greater risk than power disruption. Today, almost every industrial system, from water systems and power plants to air-conditioning systems and elevators, is remotely controlled and monitored via computer software and hardware. Called SCADA, for Supervisory Control and Data Acquisition, these systems make up what might be called the industrial Internet.

In January, the Wall Street Journal documented in stunning detail how Russian hackers sought to penetrate the computer networks of US electric utilities by attacking not the utilities themselves, but contractors and subcontractors. The cyberattack targeted companies in 24 states, Canada, and Great Britain, using deception to exploit business relationships and trickery to break into systems and plant malware to enable later attacks and disruptions.

Now think about what happens when those same techniques are used to attack government or financial systems, and not just to crash infrastructure, but to inject bad data into good systems, raising doubts about the accuracy and reliability of the very data we rely on to make decisions. Undermining confidence in economic data and creating fake identities with real credentials are new twists on classic spy techniques and pose potentially serious risks to American economic and national security.

Consider the data breach at the Office of Personnel Management in 2014. The hackers got access to millions of records. But what worries intelligence insiders most is not what was taken. It is what might have been left behind that wasn’t there before.

The uproar over Russia’s influence campaigns before and since the 2016 elections provides an inkling of how fear and doubt can undermine trust in even the institutions most fundamental to our democracy.

In this digital age, where computers “in the cloud” help us make decisions and even find our way home, it’s communications networks, rather than power, that are now preeminent. We can survive a power outage as long as we can charge our phones in the car. Shut down the web, however, and we’re deaf, dumb, and blind.

Among our nation’s greatest strengths are our robust, independent financial system and our dynamic, innovative technology sector. Together they have contributed to building the world’s largest economy and among its most efficient. But our overwhelming reliance on both is our greatest vulnerability.

No surprise then that a recent Council of Foreign Relations’ survey of 500 experts said the greatest threat facing the US homeland is “a highly disruptive cyberattack on US critical infrastructure and networks.”

It’s not the military’s role to defend every civilian network. The line between military and civilian networks is getting thinner and grayer. The military increasingly relies on commercial satellites, technology, logistics, and network services. There are major national security implications to commercial infrastructure breakdowns.

Yet the United States has been vague about how it might respond in the event of a major cyber attack. Ambiguity has some advantages. If a rival doesn’t know how you might act, he might not be willing to take the risk to find out.

On the other hand, if the rival underestimates the potential response, the US could find itself mired in an otherwise avoidable conflict.

Cyber warfare is both offensive and defensive. Attackers will continue unrestrained unless they face a credible threat of retaliation. To be credible, however, US cyber warriors must be able to do two things: unambiguously assign blame and deliver an even more devastating blow in response to any attack.

Assigning blame in cyber is complicated. While practitioners exhibit signature moves and patterns, they also work hard to mask activities and their origins. US cyber warriors must get better and faster at attributing attacks, and the national leadership must be bolder and more willing to take action in response to attacks.

Just as nuclear deterrence is defined by the capability and clear will to respond in-kind quickly and decisively, effective cyber deterrence requires the will and capacity to respond to a cyber attack with an equal or greater blow.

That suggests the US military should be more transparent about its cyber response plans. While it still makes sense to withhold from view some elements of strategic military power, one can hold back too much. Adversaries can’t fear what they don’t know.